1. Field of the Invention
The present invention relates to mechanisms for protecting software against unauthorized use, in particular against unauthorized copying.
2. Description of the Related Art
The Business Software Alliance estimates the 1995 financial losses attributed to software piracy as US$ 8.1 Billion for business application software and US$ 15.2 Billion for all software.
Solutions have been proposed in two areas:
improved Intellectual Property Rights (IPR) legislation, and
enhanced electronic copy protection (ECP) mechanisms.
IPR legislation and enforcement are improving in many countries, but there are still significant difficulties in other parts of the world. As a result, some vendors are currently reassessing ECP.
Some example requirements that an ECP mechanism may potentially satisfy are listed below:
Unauthorized users or customers should be prohibited from executing protected software.
The customer should not be prohibited from making backups.
The ECP mechanism should have minimal impact upon the user interface. The visible impact should be limited to the first initial login to the operating system and/or smart card.
Only standard hardware and software assumptions should be made. For example, although hardware dongles provide copy protection services, many vendors do not wish to limit the sale of the software to the collection of customers who own or are willing to install a dongle.
The ECP mechanism should not limit execution of the protected software to a limited collection of machines. When a customer legitimately purchases software, the customer should be able to execute the software on any machine regardless of ownership. The customer should optionally be able to authorize simultaneous execution of the software in multiple machines.
The ECP mechanism should have no required network dependencies in order to execute an already purchased protected program.
The vendor should be permitted to distribute an identical version of the protected software to all customers. This requirement permits the protected software to be distributed through normal channels such as, for example, CD-ROMs, floppy disks, or network bulletin boards.
It should be excessively difficult and/or computationally infeasible for a potential software pirate to circumvent the ECP mechanism without modifying the protected program. This requirement serves as a virus-protection measure because a digital signature supplied by the vendor would not validate if a pirate distributes a modified version of the original program.
The ECP mechanism should not disclose the private keying material to the vendor, to any program produced by the vendor, or to any potential Trojan horse program. Though the primary functionality is to protect the software vendor, one must not do so at the expense of the customer.
The ECP mechanism should be available in a software-only version as well as in a hardware-assisted version, using a smart card, for example, to assure widespread market acceptance.
In the Choudhury et al. publication, "Copyright Protection for Electronic Publishing over Computer Networks", a mechanism is proposed in which a protected document can be viewed only via a specially configured viewer program, which allows a customer to view the document only if the customer supplies to the viewer the customer's private keying material. This deters the customer from distributing unauthorized copies of the viewer program since that would require the customer to divulge his or her private keying material to others. However, because this mechanism requires that the viewer program obtain access to the private keying material, it violates one of the requirements described above. Furthermore, this mechanism may not be used in conjunction with a smart card that is configured to avoid releasing private keying material.
An overview of asymmetric cryptography, for example of the RSA (Rivest-Shamir-Adleman) scheme, and probabilistic encryption, for example the Blum-Goldwasser probabilistic public-key encryption scheme, can be found in a book by Menezes, et al., "Handbook of Applied Cryptography".
The Chi-Square Test, the Kolmogorov-Smirnov Test, and the Serial Correlation Test are described in a publication by Knuth, "The Art of Computer Programming."
An overview of digital signature schemes (e.g. Rivest-Shamir-Adleman (RSA), etc.,) can be found in the Menezes book.
In a publication by Fenstermacher et al., cryptographic randomness from air turbulence in disk drives is described.
An example of a message digest function (otherwise known as a one-way hash function) is MD5, see Rivest, "The MD5 Message-digest Algorithm." It is computationally infeasible or very difficult to compute the inverse of a message digest.
An object of the present invention is to provide an improved ECP (electronic copy protection) mechanism that is able to satisfy most, if not all, of the example requirements described above.
The present invention makes use of an asymmetric confidentiality protocol. An asymmetric confidentiality protocol involves two parties, A and B. A possesses private keying material and B has no access to A's private keying material without disclosing the private keying material itself. At the beginning, A and B have no shared secret. During the method, a shared secret becomes known to A and B. A proves to B that A has access to the private keying material.
An example of an asymmetric confidentiality proof is public key encryption. As illustrated in the asymmetric confidentiality protocol below, A proves to B that A has access to the private keying material.
A←B: h(r), B, PA(r,B)
A→B: r
The protocol scheme described above uses the following notation:
A→B denotes that A sends a message to B; and B→A denotes that B sends a message to A.
r denotes a random number used as a nonce
h(r) is a message digest of the nonce
PA(r,B) is encryption of the nonce and B's identity using A's public keying material.
Here, B generates a nonce and encrypts the nonce (together with B's identity) using A's public keying material, i.e., PA(r,B).
Additionally B computes the message digest of the nonce, h(r).
B sends the information described above, along with a value representing B's identity, to A.
Next, A uses its private keying material to decrypt PA(r,B) obtaining r,B. A computes the message digest of the decrypted random value, r, and compares the result against h(r) obtained from B.
At this point, the random number is a shared secret known by both A and B.
In order to complete the protocol, A returns the random number to B in order to demonstrate that A knows the secret. Of course, once A provides the disclosure, the secrecy of the random number is lost. B validates A's proof by checking for equality A's returned secret against the one that B originally generated.
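The exchange above, worked through as Python code added here for illustration (it is not part of the patent): B is the challenge means embedded in the protected program, A is the response means holding the private key (for example a smart card). The tiny textbook RSA key pair and the choice of SHA-256 as h are constructed assumptions for the example only.

```python
import hashlib
import secrets

# Constructed toy RSA key pair (assumption for illustration; far too small to be secure).
P, Q = 1000003, 1000033
N = P * Q
E = 65537                                # A's public keying material: (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))        # A's private keying material, never given to B

def h(r: int) -> bytes:
    """Message digest of the nonce (SHA-256 here; the text cites MD5 as one example)."""
    return hashlib.sha256(r.to_bytes(4, "big")).digest()

def challenge(b_id: int):
    """Challenge means (B): build the message h(r), B, PA(r,B). Returns (r, message)."""
    r = secrets.randbelow(2**24)         # nonce; (r, B) packed together must stay below N
    m = (r << 8) | b_id                  # nonce and B's identity in one RSA block
    c = pow(m, E, N)                     # PA(r,B): encryption under A's public key
    return r, (h(r), b_id, c)

def respond(message):
    """Response means (A): decrypt with the private key, check consistency, reveal r."""
    digest, b_id, c = message
    m = pow(c, D, N)
    r, claimed_id = m >> 8, m & 0xFF
    if claimed_id != b_id or h(r) != digest:
        return None                      # inconsistent challenge: disclose nothing
    return r                             # A->B: r (the shared secret, now disclosed)

def verify(expected_r: int, answer) -> bool:
    """Challenge means compares A's returned secret with the one it generated."""
    return answer is not None and answer == expected_r

def protected_program_runs(tamper: bool = False) -> bool:
    """One full run of the proof; the protected program may execute only on True."""
    r, msg = challenge(b_id=0x42)
    if tamper:
        digest, b_id, c = msg
        msg = (digest, b_id, (c + 1) % N)   # PA(r,B) corrupted in transit
    return verify(r, respond(msg))
```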
A second example of an asymmetric confidentiality protocol is a probabilistic encryption scheme, e.g. the Blum-Goldwasser probabilistic public key encryption scheme. Here, the encryption or decryption mechanism uses random numbers or other probabilistic means.
In all asymmetric confidentiality protocols, each customer may post his or her public keying material to a publicly accessed directory without compromising the corresponding private keying material. The customer usually should guard his or her private keying material as a close secret; otherwise, the cryptographic system may not guarantee correctness (in other words, secrecy). The best known mechanism for protecting one's private keying material is through the use of a smart card. In this case, the smart card is a device with no interface for releasing private keying material (in a non-cryptographically protected form).
Although smart cards provide the best protection, social factors of electronic commerce may play a role in ensuring private keying material protection. One of the significant difficulties associated with asymmetric encryption services is authentication. For example, if A posts his or her public keying material to a public directory, then how does B assess validity? That is, a pirate may attempt to masquerade as A but post the pirate's keying material. Some commercial organizations provide solutions to this problem by acting as Certification Authorities (CA). For (possibly) a fee, the CA solicits identifying material from potential customers such as a driver's license or passport. After validating the identifying material, the CA posts the customer's public keying material to a public directory, and the CA signs a certificate (using a digital signature with the CA's private key) that holds the customer's public keying material. Standardized services, for example X.500, may be adopted to help facilitate the use of directories that contain public keying material.
Once a customer posts his or her public keying material to the CA (certification authorities), the customer will probably make an extensive effort to protect his or her private keying material. For some asymmetric keys, if the customer's private keying material were to become unknowingly compromised, then the customer would have cause for significant concern. For example, in the case of RSA keys that can also be used for digital signatures, networked vendors could potentially authorize electronic commerce transactions.
According to the invention there is provided a computer system comprising a protection mechanism for protecting software, the protection mechanism comprising at least one challenge means associated with a protected item of software, and at least one response means with private keying material that it can access, wherein:
a) the challenge means has no access to the private keying material,
b) the challenge means and the response means comprise means for generating shared secret information, respectively, in accordance with an asymmetric confidentiality scheme,
c) the response means comprises means for proving to the challenge means that the response means has access to the private keying material by interacting with the challenge means using an asymmetric confidentiality proof scheme,
d) the challenge means comprises means for prohibiting a customer from using some or all of the items of software unless the proof is successful.
According to a further aspect of the invention, there is provided a computer system comprising means for inputting a program to be protected, and for embedding at least one challenge means in that program, wherein the challenge means comprises means for
generating shared secret information in accordance with an asymmetric confidentiality scheme,
validating the response means' proof that the response means knows the shared secret information and
for prohibiting a customer from using some or all of the items of software unless the proof is successful.
According to a further aspect of the invention there is provided a method of distributing software to a plurality of customers wherein each customer has a computer system comprising a protection mechanism for protecting software, the protection mechanism comprising at least one challenge means associated with a protected item of software, and at least one response means with private keying material that it can access, wherein:
a) the challenge means has no access to the private keying material,
b) the challenge means and the response means comprise means for generating shared secret information in accordance with an asymmetric confidentiality scheme,
c) the response means comprises means for proving to the challenge means that the response means has access to the private keying material by interacting with the challenge means using an asymmetric confidentiality proof scheme, and
d) the challenge means comprises means for prohibiting a customer from using some or all of the items of software unless the proof is successful, and wherein every customer receives an identical copy of the protected program and of the challenge means.
According to a further aspect of the invention, there is provided a method for protecting an item of software, wherein at least one challenge means is associated with the protected item of software, and at least one response means accesses private keying material,
a) the challenge means has no access to the private keying material,
b) the challenge means and the response means generate shared secret information, respectively, in accordance with an asymmetric confidentiality scheme,
c) the response means proves to the challenge means that the response means has access to the private keying material,
d) the challenge means prohibits a customer from using some or all of the items of software unless the proof is successful.
According to a further aspect of the invention, it may be advantageous to generate a random challenge by repeatedly timing responses to device accesses in order to enforce the security of the random challenge. Although one may potentially time responses to any one of a variety of devices, in this present example we assume a disk (commonly known as a hard disk and sometimes known as a direct access storage device) is used. Additionally, it is possible to query multiple different devices when generating one particular random value.
According to a further aspect of the invention, in order to further enforce the security of the random challenge one may, while generating the random challenge, fork new threads in such a manner as to introduce an additional degree of randomness into the random challenge by exploiting unpredictabilities in the operating system's scheduler.
According to a further aspect of the invention, in order to further enforce the security of the random challenge, one may perform a statistical test to determine the number of random bits obtained by each of the disk accesses and cause disk accesses to be repeated until a predetermined number of random bits has been obtained.
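The three aspects above (timed disk accesses, forked threads for scheduler jitter, and repeating accesses until a predetermined number of random bits has been collected) as one control loop in Python, added here for illustration rather than taken from the patent. It assumes a conservative frequency-based min-entropy estimate in place of the Knuth tests the text cites, a temporary file standing in for the disk device, and SHA-256 to distil the collected pool.

```python
import hashlib
import math
import os
import tempfile
import threading
import time
from collections import Counter

def min_entropy_bits(samples) -> float:
    """Conservative entropy estimate per sample: -log2(frequency of the most common value).
    Assumption: used here instead of the Chi-Square / Serial Correlation tests cited above."""
    if not samples:
        return 0.0
    top = Counter(samples).most_common(1)[0][1]
    return -math.log2(top / len(samples))

def timed_disk_read(path: str, out: list) -> None:
    """One device access: time a read and keep four low-order bits of the latency.
    The bytes read do not matter; only the access timing feeds the challenge."""
    t0 = time.perf_counter_ns()
    with open(path, "rb", buffering=0) as f:
        f.read(4096)
    elapsed = time.perf_counter_ns() - t0
    out.append((elapsed >> 7) & 0xF)     # 128 ns units: skip bits fixed by timer granularity

def random_challenge(target_bits: int = 128, threads: int = 4, reads: int = 16,
                     max_rounds: int = 200) -> bytes:
    """Repeat timed disk accesses from several forked threads until the estimated
    entropy reaches target_bits, then hash the whole pool into the challenge."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"\0" * 4096)          # constructed stand-in for a disk region
        path = tmp.name
    pool, collected = [], 0.0
    try:
        for _ in range(max_rounds):
            batch = []                   # list.append is safe under CPython's GIL
            workers = [threading.Thread(target=lambda: [timed_disk_read(path, batch)
                                                          for _ in range(reads)])
                       for _ in range(threads)]
            for w in workers:
                w.start()
            for w in workers:
                w.join()
            collected += min_entropy_bits(batch) * len(batch)
            pool.extend(batch)
            if collected >= target_bits:
                return hashlib.sha256(bytes(pool)).digest()
    finally:
        os.unlink(path)
    raise RuntimeError("device timings did not yield enough entropy")
```

Page-cached reads jitter far less than the uncached disk accesses the patent relies on, so the estimate, not a fixed sample count, decides when enough has been gathered.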